[ https://issues.apache.org/jira/browse/RANGER-5215?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dhaval Shah updated RANGER-5215:
--------------------------------
    Description: 
At present, if usersync is configured for case conversion and special character 
replacement using a regex, it converts the original name of users/groups and 
stores it in the Ranger database.

Example : _original name in AD / LDAP : John-jacobs_

*usersync property set to* 
{code:java}
ranger.usersync.ldap.username.caseconversion = lower
ranger.usersync.mapping.username.regex = s/[-]/_/g
{code}

*will convert the name to* 
_converted name : john_jacobs_
Now, for example, if the Hive plugin uses the original name such as _John-jacobs_ for 
any operation, authorisation fails on the Ranger Admin side because a 
user with that name does not exist.

We might face an issue such as:

{code:java}
Permission denied: user [John-jacobs] does not have [SELECT] privilege on [vehicle/cars/*]
{code}

We need to come up with the same transformation logic as we have on the usersync side in 
order to pass the authorisation.

Also, this feature needs to be configurable on the plugin side using a property so it 
can be turned on whenever it is required.

*Problem Statement:*

Currently, when Ranger Usersync is configured with case conversion and special 
character replacement using regex, it transforms the original user/group names 
from the source (e.g., AD/LDAP) before storing them in the Ranger Admin 
database.
*Example:*
 * Original name in LDAP/AD: {{John-jacobs}}

 * Usersync configuration:

 ** {{ranger.usersync.ldap.username.caseconversion = lower}}

 ** {{ranger.usersync.mapping.username.regex = s/[-]/_/g}}

 * Transformed and stored name in Ranger: {{john_jacobs}}
*Issue:*

If a Ranger plugin (e.g., Hive) uses the original name {{John-jacobs}} during 
authorization checks, it fails because Ranger Admin only recognizes the 
transformed name {{john_jacobs}}.

*Error Example:*
{code:java}
Permission denied: user [John-jacobs] does not have [SELECT] privilege on [vehicle/cars/*]
{code}

*Solution:*

To ensure consistency, the same transformation logic used by Usersync must also 
be applied on the plugin side before authorization. This transformation should 
be made available as a utility library packaged with the plugins.

*Configurability:*

This feature must be configurable at the plugin level via a property (e.g., 
{{ranger.plugin.<serviceType>.supports.name.transformation}}), allowing 
users to enable or disable it based on their environment needs.
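The following Python sketch is an added illustration, not code from the ticket or from the Ranger project. It reproduces the usersync transformation the ticket describes (case conversion plus a sed-style `s/pattern/replacement/g` rule), applies it on the plugin side behind the proposed property (instantiated here with `hive` as the serviceType), and adds a collision check that is this example's own addition: the mapping is not injective, so two distinct directory principals can land on one stored Ranger name and share its permissions. The policy table, the order "case conversion first, then regex", and support for several whitespace-separated rules are assumptions of the example; Ranger's resource matcher is replaced by exact string comparison because the point shown is which principal name gets looked up.

```python
import re
from dataclasses import dataclass

# Plugin-side property proposed in the ticket, instantiated for the Hive service type
# (it is the ticket's proposal, not an existing Ranger setting).
TRANSFORM_PROPERTY = "ranger.plugin.hive.supports.name.transformation"

# One sed-style substitution: s/<pattern>/<replacement>/[g]; '\/' escapes a slash.
_SED_RULE = re.compile(r"^s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/(g?)$")


def parse_sed_rules(spec):
    """Parse a whitespace-separated list of sed-style rules (e.g. 's/[-]/_/g').

    Returns [(compiled_pattern, replacement, count)], where count=0 means replace
    every match ('g' flag) and count=1 means only the first match.
    Allowing several rules in one property is this example's assumption.
    """
    rules = []
    for token in spec.split():
        match = _SED_RULE.match(token)
        if not match:
            raise ValueError(f"unsupported mapping rule: {token!r}")
        pattern, replacement, flags = match.groups()
        count = 0 if flags == "g" else 1
        rules.append((re.compile(pattern.replace(r"\/", "/")),
                      replacement.replace(r"\/", "/"), count))
    return rules


def transform_name(name, case_conversion="none", regex_spec=""):
    """Reproduce the usersync transformation for one user or group name.

    Case conversion ('none', 'lower', 'upper') runs first, then the regex rules
    in order. That ordering is an assumption of this example; with the ticket's
    settings both orders give the same result.
    """
    if case_conversion == "lower":
        name = name.lower()
    elif case_conversion == "upper":
        name = name.upper()
    elif case_conversion != "none":
        raise ValueError(f"unknown case conversion: {case_conversion!r}")
    for pattern, replacement, count in parse_sed_rules(regex_spec):
        name = pattern.sub(replacement, name, count=count)
    return name


@dataclass
class PluginConfig:
    supports_name_transformation: bool  # value of TRANSFORM_PROPERTY
    case_conversion: str                # mirrors ranger.usersync.ldap.username.caseconversion
    regex_spec: str                     # mirrors ranger.usersync.mapping.username.regex


# Constructed stand-in for the policies a plugin downloads from Ranger Admin:
# stored (already transformed) principal -> set of (resource, access) grants.
STORED_POLICIES = {
    "john_jacobs": {("vehicle/cars/*", "SELECT")},
}


def is_access_allowed(user, resource, access, config):
    """Plugin-side check: look the caller up under the stored name when the
    transformation property is on, under the raw name when it is off."""
    if config.supports_name_transformation:
        principal = transform_name(user, config.case_conversion, config.regex_spec)
    else:
        principal = user
    return (resource, access) in STORED_POLICIES.get(principal, set())


def find_collisions(source_names, case_conversion, regex_spec):
    """Return {stored_name: [source names]} for every stored name that more than
    one directory principal maps to. A collision merges distinct identities into
    one set of permissions, so review the list before enabling the mapping."""
    buckets = {}
    for name in source_names:
        stored = transform_name(name, case_conversion, regex_spec)
        buckets.setdefault(stored, []).append(name)
    return {stored: sources for stored, sources in buckets.items() if len(sources) > 1}


if __name__ == "__main__":
    for enabled in (False, True):
        cfg = PluginConfig(enabled, "lower", "s/[-]/_/g")
        print(TRANSFORM_PROPERTY, "=", enabled, "->",
              is_access_allowed("John-jacobs", "vehicle/cars/*", "SELECT", cfg))
    print(find_collisions(["John-jacobs", "john_jacobs", "Alice"], "lower", "s/[-]/_/g"))
```

With the property off, `John-jacobs` is denied exactly as in the ticket's error; with it on, the same request is evaluated as `john_jacobs` and matches the stored policy. The collision report is the check to run against the directory export before turning the mapping on, since a rule like `s/[-]/_/g` combined with lower-casing cannot distinguish `John-jacobs` from an account literally named `john_jacobs`.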

> Policy authorisation fails for Ranger Plugins in case of users/groups 
> converted by Ranger usersync as per given Regex  
> -----------------------------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-5215
>                 URL: https://issues.apache.org/jira/browse/RANGER-5215
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger, usersync
>            Reporter: Dhaval Shah
>            Assignee: Dhaval Shah
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.20.10#820010)